Some Internet fraud involves attempts by a fraudster to intrude on a legitimate user's authorized web session by executing parallel transactions alongside the legitimate user's transactions, hijacking the legitimate user's session for fraudulent purposes such as theft, defamation, vandalism, or notoriety. Often, the hijacking is executed by session fixation or as an external sidejacking, in which some or all of the hijacker's transactions are conveyed through separate channels from those of the legitimate user. For example, a sidejacker in a local area network (LAN) may use a separate channel to avoid detection by others in the LAN. In a man-in-the-browser attack, a fraudster may use a separate channel to avoid the additional delay of routing transactions through the legitimate user's browser. In a man-in-the-middle attack, a fraudster may use a separate channel to avoid selectively blocking responses to fraudulent requests from going back to the legitimate user.
A conventional approach to intrusion detection and prevention involves monitoring transmissions to a protected website for transmissions using more than a single concurrent IP address. Because such concurrent addresses may signify sidejacking or a related attack, the conventional approach further involves thwarting, delaying or isolating transactions with the protected website by such suspicious sources.